September Security Newsletter

Stephen Kennedy - Lead Web Developer

Happy September everyone. The internet is still a vast hellscape of people who want to steal from you. So, business as usual.

This month's topic is email, and all the ways it can be used to steal from you or damage your or your company's reputation. With that in mind, let's look at one potential attack vector: phishing. Phishing is pretty common these days, but if you're not familiar with it, we have a couple of blog posts explaining the concept in a little more detail. For now, let's assume you get caught off guard by a phishing scheme and inadvertently compromise your account.

A vector-style illustration of emails arriving on a smartphone. How many emails do we get a day?

What can they do now that they are in?

Unfortunately, this is the scary part: email accounts are a holy grail of online data theft. It's even worse if this is your primary email account, and the reason is simple. In addition to getting any information that might be stored in your email account, the attacker suddenly has potential access to all accounts linked to that email. Two-factor authentication can mitigate this risk to a large extent, but only if it is configured correctly and actively used; otherwise, someone with access to your email account can just reset the passwords to all of your associated accounts and pull all sorts of data. You'll notice our attacker is most likely not interested in using your services for themselves. While this does happen, it's relatively rare, as these kinds of actions are easy to track and shut down, leading to little to no gain for the attacker. What they are actually after is banking and credit card info, identity data like your Social Security number, or access to larger payout targets. Think about it as a business. An attacker could get on your Netflix and completely ruin your recommendations by watching nothing but K-dramas, but that's not going to get them nearly as much as working backward from the last four digits of your credit card to determine what kind of card it is and possibly what bank you are with, cross-referencing that with passwords they know or can use, and then accessing your bank account directly and submitting a transfer to empty your savings into an account of their choosing.

A vector-style illustration of a man talking about email. Surprisingly, this is a problem you need to be aware of, no matter how careful you are.

But wait!

You say, "I don't use my email for any of that. I still do all of my banking in person, I don't allow sensitive data in my email, and I use well-configured and well-executed two-factor authentication on all of my services. Surely the most they can get from my email are some vaguely embarrassing typos and grammatical errors."

Well, you're wrong. They have the email addresses of everyone who has sent you email or whom you have sent email to, and they have control of your email account. They can impersonate you to lend additional authority to another phishing attempt, getting your contacts to reveal their own information and giving the attacker access to those accounts. Depending on your email provider's attachment policy, they can send viruses and other malicious software to all of those contacts, potentially giving the attacker access to a whole computer in addition to email accounts. Any email account can be automated to help in DDoS attacks (by sending emails to a target server over and over), used to send spam advertisements for unscrupulous companies, and even used to prevent any other accounts on your email server from sending emails by tanking the server's email reputation.

To clarify a little on that last point: if you weren't aware, email as a protocol runs mostly on a reputation system. This is the first defense against spam. A lot of free email providers have enough clout to get themselves on what is called a graylist. The idea is that, because of the service they provide, their email volume can look a lot like spam, but they control enough of the market that it would be irresponsible to blacklist them entirely. Because of the ease of access, though, you should treat emails from them slightly suspiciously and only block individual accounts. All that said, most businesses that have their own email service don't use anything large enough to be graylisted, and when one account misbehaves, a whole server can be blocked. This is an easy way to cause problems for a company or group of companies, effectively shutting down communication for days or weeks, depending on how fast your server administrators can react.

A vector-style illustration of a man sitting on an email and shouting into a megaphone. This problem isn't going away, so we need to talk about it and stay aware.

What now?

So that's what can happen when you lose control of your email, but how do you prevent it?

The first line of defense is a good password. Luckily for everyone, a lot of signs point to passwords being dated and too unwieldy for everything we are asking them to protect, and many new technologies and procedures are being introduced to try to replace passwords in the near future, so our future isn't chained to all of the passwords we manage now. Until a widely accepted alternative is adopted, though, our only option is responsible password habits and limiting our risk as best we can. We've written several blog posts about good passwords, but our most recent contains most of the advice you'll need. You can read it here: https://www.armortechs.com/your-passwords-are-the-weakest-link-here's-how-to-improve-them

The next defense is to minimize the risk your email account poses. Use two-factor authentication with as many services as you can. If you're unfamiliar with it, we also have an introduction to that: https://www.armortechs.com/additional-security-the-importance-of-twofactor-authentication

At this point, an account getting compromised is more of a certainty than something that you can prevent outright, so the best advice teaches you not only good habits to protect your data, but also what to do when the worst comes around. To that end, it is always important to know how to report an account as compromised, and to have some kind of secondary contact information registered with all of your services so you can regain access to the account should an attacker change your password or otherwise try to lock you out.